A new threat: APT - What it is and how to combat it

In 2023, the gravest cyber threats to companies may come in the form of lurking, almost invisible attacks produced by hidden, organised networks of expert hackers.

This is the age of the APT (Advanced Persistent Threat): stealthy and continuous cyber attacks orchestrated across months or years; and unleashed on large businesses, government institutions, or high-value individuals.

APTs use sophisticated techniques that study and exploit system vulnerabilities long before an actual attack is launched. Unlike the indiscriminate hit-and-run breaches typical of ordinary cyber attacks, APTs are highly-organised, persistent, and customised for a specific target.

Where other cyber-attacks work in a matter of days, an APT can take place over months or even years, all while being actively managed by an external command and control.

APTs may be 2023’s biggest cyber threat yet – with outsize long-term impact for large companies and governments. What can you do to steer clear of this looming cyber threat?

The “A” in APT stands for advanced: their tactics and tools are the result of significant investment in time and expertise. APTs are optimised for remote command and control as well as stealth: capabilities that cannot simply be whipped up by your average hacker.

The “P” stands for persistent: they work on longer timetables than run-of-the-mill attackers. If detected, the APT team can actively adapt to countermeasures, and try new approaches using different tools or techniques to get around security protocols.

APTs work in the shadows, perpetuating well-planned exploits against specific, high-value targets. VIPs, multinational companies, or nations can be targeted for data theft, economic gains, or political advantage by these APTs, who tend to be well-funded and highly organised for the purpose.

More than 50% of APT attacks in Southeast Asia are targeted at these industries: Government (27%), Telecommunication (24%), Financial Services (16%), and High Tech (10%).¹

Because APTs work in the shadows, cybersecurity researchers have difficulty pinning down the identities and sponsors behind each attack. Based on the software used and attributed campaigns, analysts at the MITRE Corporation have listed more than 90 different APT groups around the world, covering both freelance and government-sponsored groups.²

Many have been operating for years, which speak to APT groups’ long-term goals. For instance, China-based APT group Aoqin Dragon has been “linked to attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013.”³

APT attacks occur in multiple stages, with each stage incrementally advancing the APT’s presence in one’s network.

● Infiltration: In the initial stage, the APT uses web assets, network resources, phishing emails, or authorised human users to enter the system. To hoodwink users into granting access to APTs, the latter may pull off social engineering attacks, using spear-phishing emails to inject malware into the system.⁴

● Foothold: The APT installs a backdoor that opens unauthorised access to the victim’s system; they can now gain entry at leisure. One recent exploit used legitimate NVIDIA software to launch the PCShare backdoor on the system, with the users none the wiser.⁵

● Lateral movement: Once inside, the APT attacker moves deeper into the network in search of sensitive data and other high-value assets.⁶ As APTs are playing the long game, this phase may involve privilege escalation⁷ to get better access to more parts of the network without triggering an alarm. At this stage, the APT can be very difficult to detect because it’s often disguised as normal network traffic.

● Exfiltration: The APT will store stolen data inside the system, but they’ll have to get it out sometime. In this stage, attackers will transfer the data off-premises, but will need to disguise the transfer or distract security in the process, often by pulling off a DDoS attack to keep them occupied.

In 2023, geopolitical and technological trends may encourage a sharp rise in APT attacks.⁸ Rising energy prices may force the digitalisation of many businesses and drive an exodus from on-premise infrastructure to cloud services from third-party vendors – all increasing the attack surface for APT attackers in the near future.

Companies should mount a robust anti-APT response in return. For starters, assume that the APT attack has already begun, and act accordingly.

A watchful mindset helps teams focus on behaviours and changes over time that correlate to a broader, longer-term attack. Business leaders should give their security team visibility across their IT environment, including all networks and endpoints, so they can better learn how APTs operate in real time, and learn which tools they can use to execute their plan.

The signs of an attack will become apparent as the security team observes over time. Signs like increased late-night sign-ins, multiple attacks of a similar type, and sudden increases in traffic may point to an APT incursion in progress.

Concrete steps against APTs include any of the following:

● Use a traffic monitoring/filtering solution:
collecting and analysing traffic data can help identify compromised credentials, lateral movement, and other malicious activity. These services can provide security teams with in-depth visibility over network traffic flow to detect APTs at work.

● Strengthen access control: To stop APT attackers from successfully logging into your company’s network, add safeguards against unauthorised access like strong passwords, two-factor authentication, and Google Authentication.

● Broaden endpoint visibility and analysis: closely monitor your endpoints and correlate activity across the entire network. Endpoint protection platforms examine files as they enter the network – protecting the system from malicious software, including evolving zero-day threats.

● Protect your email: update your system’s anti-phishing and anti-spam software. Tools like Singtel Email Protect can protect against spear-phishing and other email threats that APTs often use to gain access to the network.

APT detection and mitigation can be a tall order for most companies. A robust response to the threat calls for a Security Operations Center (SOC) team with access to the latest threat intelligence; only then will you be able to stay ahead of new and emerging tools, techniques and tactics used by organised threat actors and cybercriminals.

Singtel Threat Management can help companies that want to stay one step ahead of APTs. Our end-to-end security services make use of 10 federated Security Operations Centres (SOCs) worldwide and the talents of over 2,000 global cybersecurity professionals to ensure 24/7 response readiness.

Beat back the APT hordes, without needing to build and staff your own SOC, nor deal with training and recruitment. Contact us and find out how Singtel can help keep you safe from APT attacks in the long run.
 

References:

1. FireEye, Southeast Asia: An Evolving Cyber Threat Landscape, 2015.
2. MITRE ATT&CK, Groups, 2022.
3. The Hacker News, A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia, 2022.
4. DigitalGuardian, What Are Social Engineering Attacks? Common Attacks & How to Prevent Them, 2015.
5. GBHackers on Security, Chinese APT Hackers Attack Windows Users via FakeNarrator Malware to Implant PcShare Backdoor, 2019.
6. Crowdstrike, Lateral Movement Explained | What is Lateral Movement?, 2022.
7. Cynet, Understanding Privilege Escalation and 5 Common Attack Techniques, 2022.
8. SecurityBrief, Kaspersky predicts shifts in threat landscape to industrial control systems in 2023, 2022.